As the Perl folks say: TMTOWTDI (There's More Than One Way To Do It)

Those who are familiar and/or conversant with structured-database technologies 
tend to gravitate towards a structured-database-centric approach.

Those who, conversely, think structured databases are overkill, or for whatever 
reason eschew that approach, will use other methods, such as storing meta-data 
in the DNS itself.

There are pros and cons. One particular "pro" of an "in-DNS" approach is that 
one already has a robust replication mechanism built into the protocol. Another 
"pro" is that the data can be accessed casually using the same tools (e.g. 
"dig") that the same people (typically) use for troubleshooting run-of-the-mill 
DNS issues. One "pro" of a structured-database approach, on the other hand, is 
that it is extensible, so if one wants to "hang" other types of data on DNS 
Records (e.g. asset info, location info, links to ITIL-oriented repositories 
such as a CMDB, etc.) it's not that hard to extend the schema to accommodate 
such things. Another "pro" of a structured-database approach is the wealth of 
APIs that can be used to access and possibly to manipulate the (meta-)data.

Don't overlook the information-security aspect. If your ACLs are stored in DNS 
itself, then hopefully you have everything DNSSEC-signed and validated. 
Otherwise, you might be one forged packet (or, in the case of TCP, a few 
well-placed forged packets) away from having your ACLs compromised...

                - Kevin

-----Original Message-----
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alan Clegg
Sent: Monday, February 29, 2016 4:11 PM
To: bind-users@lists.isc.org
Subject: Re: Database driven ACL

On 2/29/16, 4:04 PM, "/dev/rob0" <bind-users-boun...@lists.isc.org on behalf of 
r...@gmx.co.uk> wrote:

>On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote:
>> Is there a mature/tested method of loading ACLs through a DB query 
>> instead of editing the config file or reading/writing into a text 
>> file ?
>
>I like this idea.  I'd further suggest using either:
>  1. An abstraction layer such that any DB backend might be used; or
>  2. sqlite3

Would also be cool to have a meta-zone or type (overlay similar to RPZ
perhaps?) that could be used to configure DNS options.

Then your existing DNS tools could act as your management interface.

AlanC
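
As an added example (not code from this thread, from ISC or from the BIND project), here is a hypothetical Python script that takes the sqlite3 route suggested above and renders the rows of a table into a BIND `acl` clause, written to a file that named.conf would `include`. Every row is validated as a CIDR prefix before it is emitted, so a malformed or tampered database row cannot alter the generated configuration; this is the structured-database counterpart of the integrity concern raised for the in-DNS approach, where the store and the rendering path become the trust root for the ACL. The table layout, column names, ACL name and sample rows are constructed assumptions.

```python
"""Hypothetical example: build a BIND `acl` clause from rows in sqlite3.

Not code from the bind-users thread or from BIND itself; the table
layout, names and sample rows below are assumptions made for illustration.
"""
import ipaddress
import re
import sqlite3

# Assumed table: one row per address_match_list entry.
SCHEMA = """
CREATE TABLE acl_entry (
    acl_name TEXT    NOT NULL,            -- name of the BIND acl
    prefix   TEXT    NOT NULL,            -- IPv4/IPv6 network in CIDR form
    negate   INTEGER NOT NULL DEFAULT 0   -- 1 => emit as "!prefix"
);
"""

ACL_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample standing in for a real database backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO acl_entry (acl_name, prefix, negate) VALUES (?, ?, ?)",
        [
            ("trusted", "192.0.2.0/24", 0),
            ("trusted", "192.0.2.13/32", 1),
            ("trusted", "2001:db8::/32", 0),
            # Constructed bad row: not a prefix, would corrupt the config if
            # copied verbatim into named.conf.
            ("trusted", "10.0.0.0/8; allow-transfer { any; };", 0),
        ],
    )
    return conn


def validate_prefix(text: str) -> str:
    """Return the canonical CIDR form of `text`, or raise ValueError.

    strict=True also rejects prefixes with host bits set (e.g. 192.0.2.13/24),
    which BIND would otherwise silently accept.
    """
    return ipaddress.ip_network(text.strip(), strict=True).with_prefixlen


def render_acl(conn: sqlite3.Connection, acl_name: str):
    """Render `acl <name> { ... };` for the given ACL.

    Returns (config_text, rejected_rows). Rows that fail validation are
    reported rather than emitted; an unknown ACL name raises so that a typo
    never yields an empty (match-nothing) ACL unnoticed.
    """
    if not ACL_NAME_RE.match(acl_name):
        raise ValueError(f"invalid acl name: {acl_name!r}")
    rows = conn.execute(
        "SELECT prefix, negate FROM acl_entry WHERE acl_name = ? ORDER BY rowid",
        (acl_name,),
    ).fetchall()
    if not rows:
        raise ValueError(f"no entries for acl {acl_name!r}")

    entries, rejected = [], []
    for prefix, negate in rows:
        try:
            cidr = validate_prefix(prefix)
        except ValueError:
            rejected.append(prefix)
            continue
        entries.append(("!" if negate else "") + cidr)

    body = "\n".join(f"    {e};" for e in entries)
    return f"acl {acl_name} {{\n{body}\n}};\n", rejected


if __name__ == "__main__":
    text, bad = render_acl(open_sample_db(), "trusted")
    print(text)
    for row in bad:
        print(f"# rejected row: {row!r}")
    # In a real deployment: write `text` to an include file, run
    # named-checkconf on the result, then `rndc reconfig`.
```

The rejected-row list is the part worth wiring into monitoring: a row that stops validating is either an operator mistake or a sign that the database, not the DNS server, is where the ACL was changed.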


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users